Managing It Security


Published on

NDSU 2009 Fall Conference general session PowerPoint.

Published in: Education, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Managing It Security

  1. 1. Managing IT Security for Extension and Outreach Offices<br />Theresa Semmens NDSU Chief IT Security Officer<br />October, 2009<br />
  2. 2. Presentation Outline<br />Security Guidelines<br />Email<br />Workstation<br />Wireless<br />External Mobile Device Security<br />Protection of Confidential and Private Data<br />Online Financial Transactions<br />Those *!@&$ NDSU network services<br />Dual Support with the ND Association of Counties<br />
  3. 3. NDSU E-mail<br />What is secure<br />Encrypted User name and password <br />Email messages and attachments<br />Subject to privacy laws<br />HIPAA<br />GLBA<br />FERPA<br />ND Public Open Records Century Code<br />Using personal e-mail address and equipment for NDSU Business<br />Can be subject to ND Public Open Records Century Code<br />
  4. 4. Workstation<br />Users must have unique login and password<br />Operating system and office software current with latest patches <br />Anti-virus software and firewall installed, enabled and active<br />Confidential/private data is not accessible or viewable by public<br />Log off computer when done or away from desk<br />Set a password protected screensaver<br />
  5. 5. Workstation Area<br />Confidential/sensitive information not available for public view<br />Protected hard copy documentation stored in locked file cabinet<br />Manipulated hard copy documentation<br />Tidy desk area <br />
  6. 6. Wireless Access<br />Wireless access in the office<br /> Open vs. Secured<br />Access available only to those who need it<br />Wireless access outside of the office<br />Public access<br />Not recommended <br />Working with confidential private data<br />Use for personal banking<br />Purchasing merchandise online<br />Use NDSU Webmail client to send and receive email – do not send attachments, message body should not contain sensitive information<br />
  7. 7. Laptop Security<br /><ul><li>Maintain copies of important data somewhere other than the laptop. Consider using an external portable storage device.
  8. 8. Back up all data, and make use of encryption features when you do so.
  9. 9. Hard drive and external storage is encrypted.
  10. 10. Laptop must be labeled and identified</li></li></ul><li>External Media<br />Definition –external hard drives, flash drives, CDROM, DVDR<br />When not in use, keep in safe place.<br />Dispose of properly.<br />Encrypt sensitive data.<br />Share only with those who have a “need to know”.<br />
  11. 11. Phlushing the Phish!<br />What is NDSU doing?<br />What can you do?<br />Recent Spear Phishing Attacks<br />
  12. 12. Confidential/Private Data<br />Defined and classified in NDUS 1901.2<br />Examples: <br />Pesticide Program<br />Master Gardeners<br />4-H<br />Research<br />What is allowable for use and storage<br />
  13. 13. Employees & Volunteers<br />Must sign confidentiality agreements<br />Background checks required*<br />Receive formal, documented training <br />*Above point required if handling electronic financial transactions<br />
  14. 14. Social Security Numbers<br />Do not use as an identifier on <br />Files<br />Spread sheets<br />Data bases<br />Correspondence <br />Any files/documents containing SSN data must be secured and available only to those who have a need to know<br />
  15. 15. Credit Card Information<br />Do not store<br />Full credit card number (only last four digits)<br />CVV2 number<br />Exp. Date<br />Receipts<br />Only allow last four digits on receipt<br />No CVV2 number<br />No exp. Date<br />Do not accept credit card transactions over email<br />If received over voice mail, delete immediately<br />Must have separation of duties for acceptance of credit cards<br />
  16. 16. More Safeguards<br />Non-disclosure (suppression)<br />Farmers/Ranchers<br />Parents<br />Children<br />Requests for lists of members<br />Health questionnaires (4-H)<br />Date of Birth combined with name<br />Information posted to Web sites<br />
  17. 17. Use & Disposal of Protected Data<br />Encrypt or password protect on electronic devices<br />Back up regularly<br />Allow only those who have a need to know access to data<br />Use only where necessary<br />Dispose of properly<br />
  18. 18. Personnel & Volunteer Files<br />Stored in locked cabinet not in public area<br />If request is made to view personnel file<br />Dean and General Counsel to approve request<br />Log request, date, time<br />Viewer must sign log form<br />Only allow what is considered public information to be viewed<br />Purge according to data retention policies<br />Shred with cross cut shredder, burn, using document destruction service<br />
  19. 19. Suspected Data Breach<br />For computer related security issues contact your supervisor<br />Document reasons you suspect breach of data<br />Do not move, touch, alter equipment or anything related to the breach <br />Do not attempt to do your own investigation<br />
  20. 20. NDSU network services<br />E-mail accounts<br />Alias<br />Shared<br />E-mail box space<br />Changing electronic ID<br />Non-employee accounts<br />Affiliate vs. Guest accounts<br />
  21. 21. Alias E-mail Account<br /><ul><li>E-mail message automatically dropped into multiple users e-mail boxes
  22. 22. Does not require password
  23. 23. Owner responsible for removing and adding users</li></ul>Sender<br />Alias<br />Recipient<br />Recipient<br />Recipient<br />
  24. 24. Shared E-mail Account<br /><ul><li>Requires use of Webmail
  25. 25. Requires shared password
  26. 26. Owner required to change password when users leave or are added to group</li></ul>Sender<br />Shared<br />Recipient<br />Recipient<br />Recipient<br />
  27. 27. Electronic ID<br />Official Format = FirstName.LastName<br />Full-time employees and Students can change EID at<br />Non-employees/students must request change<br />Change subject to previous ownership of “name space.”<br />Name change due to marriage/divorce – must go through HR with proper documentation<br />Employees have 500 MB e-mail box. Request to increase must be sent through Helpdesk. <br />
  28. 28. Affiliate vs. Guest Accounts<br />Services available: desktop_auth, Blackboard, Library, Wireless<br />Must be “sponsored” by department<br />Affiliate accounts for periods longer than one week<br />Guest accounts for periods less than one week<br />E-mail requires completion of Non-employee ID form<br />
  29. 29. Managing IT Security for Extension and Outreach Offices<br />Theresa Semmens NDSU Chief IT Security Officer<br />October, 2009<br />